External Threat Summary for February 2019

by DigitalStakeout

Hackers Observed Intercepting Two-Factor Authentication SMS Codes

Threat actors in the UK have intercepted two-factor authentication (2FA) SMS messages by exploiting the SS7 telecommunications routing network, allowing them to hijack 2FA one-time codes and gain access to secure websites. The attacks have thus far been limited, though they appear to be growing in popularity.

YouTube Channel Ransom Scam

Scammers have learned how to abuse YouTube’s “three strikes” policy infringement system to hold channels for ransom. The scam works by a scammer issuing two strikes against a channel and then demanding a ransom before issuing a third strike. According to YouTube policy, if a third strike is issued within three months from the first, the channel will be removed. If the ransom is paid, according to the scam’s messages, the scammer will contact YouTube and remove the first two strikes.

CookieMiner Malware Steals Cryptocurrency Exchange Cookies

A new malware strain known as CookieMiner contains the ability to steal web browser cookies related to cryptocurrency exchanges and online wallet services, as well as other sensitive information that requires cookies for online transmission, such as passwords, messages, and credit card credentials. The malware seeks to circumvent multi-factor authentication (MFA) by collecting all of the information via the browser.

Airlines Send Unencrypted E-Ticketing Information

Eight airlines have been observed sending unencrypted e-ticketing communications, including personally identifiable information (PII), to passengers. Major airlines such as Southwest, Air France, and KLM are among the guilty parties. The information can be accessed if an attacker is on the same network as the passenger, allowing the attacker to intercept the messages, which contain email addresses, names, document numbers and expiration dates, and even boarding passes.

Google Translate Used as Masker in Phishing Campaign

A phishing campaign designed to steal Google and Facebook credentials uses Google Translate to disguise itself on mobile browsers. The attack works by using Google Translate to present the fake login page under a legitimate Google domain. The emails used in the campaign generally masquerade as “security alert” emails from Google.

.exe Malware also Infects macOS

A new malware strain has been observed bypassing macOS’ security protocols to run malicious .exe files, which normally only run on Windows computers. The malware uses the Mono framework, an open-source implementation of Microsoft’s .NET framework, to load the .exe on macOS. Because the file is a .exe, macOS automatically skips scanning it for malicious code.

New Phishing Campaign Responds like Legitimate Pop-Up

A new phishing attack uses legitimate HTML and JavaScript to create a legitimate-looking log-in popup window to phish for Facebook or Google passwords. Threat actors are sending links to blogs that prompt visitors to sign in with their Google or Facebook accounts. The link redirects to a fake popup that looks exactly like the legitimate version used by those services themselves, including the green padlock indicating valid HTTPS. The only way to determine the popup’s authenticity is to attempt to drag it out of the browser. If it leaves the browser window, it is legitimate, but if it disappears into the browser’s border, it is fake.

New Malware Family Rietspoof

A new malware family known as Rietspoof uses a multi-stage delivery system. However, despite being observed since Summer 2018, the exact nature and target of the malware remain largely unknown. The malware uses several stages during its infection protocols, apparently checking the host system and loading whichever module operates best for that system’s particular configuration. By using multiple stages during the infection process, the malware is able to bypass detection step by step.

TurboTax Tax Return Information Exposed

Intuit has reported that an unauthorized actor accessed tax return information belonging to an undisclosed number of TurboTax accounts in a credential stuffing attack – when an attacker collects username and password combinations from one site and attempts to use those combinations on other sites. Intuit’s databases and operational systems were not breached in the attack, only weakly secured profiles belonging to individual users. With the recent release of the largest-ever compiled set of usernames and passwords, credential stuffing attacks have proliferated across the internet.
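The defining trait of credential stuffing described above (one source replaying leaked username/password pairs against many different accounts) is also its detection signature. The following is an added example, not DigitalStakeout’s or Intuit’s code; it runs over constructed log lines in an assumed "time ip user result" format and flags sources whose failures touch many distinct accounts in a short window, distinguishing them from single-account brute force.

```python
# Added example: credential-stuffing detection over auth logs. Stuffing fails
# against many *distinct* usernames from one source IP in a short window;
# brute force hammers a single account. Log format below is assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation IPs); includes one malformed line.
SAMPLE_LOG = """\
2019-02-20T10:00:01 203.0.113.7 alice FAIL
2019-02-20T10:00:02 203.0.113.7 bob FAIL
2019-02-20T10:00:02 203.0.113.7 carol FAIL
2019-02-20T10:00:03 203.0.113.7 dave SUCCESS
2019-02-20T10:00:04 203.0.113.7 erin FAIL
2019-02-20T10:00:05 198.51.100.9 alice FAIL
2019-02-20T10:00:09 198.51.100.9 alice FAIL
2019-02-20T10:00:14 198.51.100.9 alice FAIL
2019-02-20T10:30:00 203.0.113.7 frank FAIL
malformed line that must not crash the parser
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse(log_text):
    """Parse lines into (time, ip, user, result); malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Return {ip: sorted usernames} for IPs whose FAILs inside any sliding
    `window` hit at least `min_users` distinct accounts."""
    fails = defaultdict(list)
    for ts, ip, user, result in sorted(events):  # chronological per IP
        if result == "FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, items in fails.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward in time
            users = {u for _, u in items[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def accounts_to_reset(events, flagged):
    """SUCCESS logins from a flagged IP are the leaked pairs that worked."""
    return sorted({u for _, ip, u, r in events if ip in flagged and r == "SUCCESS"})
```

A successful login from a flagged source is the actionable output: that account’s reused password is confirmed valid and should be reset, which is the per-user weakness the TurboTax incident hinged on.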

Report Claims Password Managers Leak Information to Local Adversaries

A recent report claims that several popular password manager apps are vulnerable to leaking user data via improper memory flushing techniques. Researchers have found that an attacker with local access can recover the manager’s information from the OS’ memory heaps. However, the password managers claim that the flaw has been known for some time and is only dangerous in highly limited circumstances. When asked if the flaw will be patched, most companies claim that reworking the managers’ memory flushing architecture would be prohibitively expensive and would prevent the programs from running efficiently and effectively.